METHOD AND DEVICE FOR CONFIGURING A FIREWALL IN A COMPUTER SYSTEM



The present invention concerns the field of firewalls in a computer system, and more specifically the configuration of firewalls.



The Prior Art 



A firewall is a machine or group of machines that makes it possible to protect the junction between an internal network and an external network like the Internet against unauthorized, or even malicious, intrusions. It is noted that the Internet consists of a set of interconnected networks and machines around the world, allowing users throughout the world to share information.

The term "machine" in the present specification represents a very broad conceptual unit that includes hardware and/or software. The machines can be very diverse, such as workstations, servers, routers, specialized machines and gateways between networks.

All of the messages flowing between the internal and external network must pass through the firewall, which examines each message and blocks those that do not comply with given access control rules. The firewall is one element of a global security policy, integrated into an increasingly rich applicative environment and designed to protect computer resources.

Firewalls are used, in particular, to prevent unauthorized Internet users from accessing internal networks connected to the Internet, to give a user of an internal network secure access to the Internet, to separate a company's public machines allowing access to the Internet from its internal network, or to create a partition in a given network so as to protect the partitioned segments of internal networks.

The firewall is embodied, for example, by a dedicated machine that controls access to the various machines of a given internal network.

To do this, the firewall controls which machines and/or which users and/or which services or applications of an internal network can access which machines and/or which users and/or which services or applications of an external network and vice versa.

Machines belonging to the Internet use the TCP/IP protocol. The firewall filters TCP/IP communications. The firewall manipulates applicative data, information transmitted in the part reserved for data in the headers of TCP/IP datagrams.



The filtering criteria are, to give a non-limiting example: 

■ the calling address, 

■ the address called, 

■ the application called. 

The complexity of a firewall configuration is illustrated by the following example, 
which can be applied to most of the partitioned architectures in enterprise networks. 

Let us consider the case of an enterprise network comprising n firewalls named NW1, ..., NWn connected to subnetworks.

We would like to apply a security policy according to which, in each subnetwork CCi, a workstation (client station) Ci is authorized to access a server Si located in a subnetwork SSi. The subnetworks CCi and SSi are connected to one and the same firewall NWi.

This example can, of course, be extended to include several workstations that are 
authorized to access several servers. 

With conventional firewall configuration systems, administrators work in two ways:

• Defining two groups, respectively containing the workstations and the servers. Then defining a rule authorizing the workstation group's access to the server group. This way of working makes it possible to authorize, in a single rule, each station's access to the server connected to the same firewall (Ci -> Si), but also authorizes the stations' access to all the other servers connected to other firewalls NWj (Ci -> Sj). This is not the desired security policy.

• Defining in each firewall the specific rules authorizing, one by one, each workstation's accesses to the server that corresponds to it. This way of working quickly becomes complicated, even difficult, to put into practice as the number of firewalls, the number of workstations, or the number of servers increases.

Simplifying the configuration is a priority for a firewall administrator. 

The current known solutions for attempting to resolve the problem of complexity in 
the configuration are the following. 

There is a known system marketed under the name Net Partitioner and produced by the Solsoft company.

The Net Partitioner device allows the administrator to graphically represent his entire 
network, with the installation of the firewalls and the various servers and workstations that 
belong to it. The machines are represented by icons and their interconnections by lines 
connecting them. 
The administrator also defines, in the form of arrows, the ways in which the machines can access other machines and the applications they host.

This solution makes it possible to define groups of computers, as well as rules for controlling access between these groups. On the other hand, the rules define the access of all the elements of a group to all the elements of another group, which complicates the configuration procedure.

The description of the system (i.e. all of the machines present in the form of icons and their interconnections in the form of lines) and the specification of the rules applied to the system and represented in the form of arrows are combined in the same graphical interface. The more machines, and the more connections between these machines, the system comprises, the more difficult it is for the administrator to describe the system via the interface.

Moreover, the Net Partitioner device does not provide for any transfer of rules from said device to the firewalls in question, or for any retrieval of the new security policy. The administrator himself must configure each of the firewalls from the results obtained by the Net Partitioner device.

Therefore, this solution does not make it possible to simplify the configuration procedure.

One object of the present invention is to simplify the configuration of a large number of firewalls.

Summary of the Invention 

In this context, the present invention offers a method for configuring a firewall in a computer system comprising objects, the objects for which an access control policy is established being called resources, characterized in that it groups the objects of the system into protection domains, each firewall ensuring the protection of an internal domain relative to an external domain, and applies to the firewall in question a rule for controlling access between a source resource and a destination resource only if said source and destination resources belong to the same protection domain.

The present invention also relates to the system for implementing said method. 
Presentation of the Figures



Other characteristics and advantages of the invention will emerge in light of the 
following description, given as an illustrative and non-limiting example of the present 
invention, in reference to the attached drawings in which: 

• Fig. 1 is a schematic view of the system according to one embodiment of the invention;

• Fig. 2 is a copy of a screen of a graphical interface presenting the firewalls of the system according to Fig. 1 and their properties;

• Fig. 3 is a copy of a screen of a graphical interface presenting groups of machines in the system according to Fig. 1;

• Fig. 4 is a copy of a screen of a graphical interface presenting access control rules in the system according to Fig. 1.

Description of an Embodiment of the Invention 

As shown in Figs. 1 through 4, the present invention relates to a method for configuring a firewall 1 in a computer system 2.

The computer system 2 is distributed and comprises objects 3, users and firewalls 1. An object 3 is a very broad conceptual unit that includes hardware and/or software. The objects 3 can be very diverse, such as networks, subnetworks, workstations, servers, routers, specialized machines and gateways between networks, and applications. Only the components of the objects 3 of the system 2 that are characteristic of the present invention will be described, the other components being known to one skilled in the art. The objects 3 between which access control rules constituting the security policy of the system 2 are defined are called resources 4.

As represented in Fig. 1, the firewalls 1 protect an internal domain 5 (D1, D2, D3) relative to an external domain 6 (backbone). An administrator 7 defines for each firewall 1 the internal domain 5 that constitutes the firewall's protection domain. The firewall's protection domain represents what the administrator wishes to protect by means of said firewall relative to what he wants to protect it from, i.e. the external domain.

Each of the two internal 5 and external 6 protection domains is constituted by zones 8 comprising one or more networks or subnetworks 9 of machines. A zone 8 is a part of the system 2 that is separated from the rest of the system by one or more firewalls. The zones 8 are connected to the firewall 1 in question by several network interfaces 10. The administrator 7 determines, for each zone 8 connected to each firewall, whether the zone 8 is inside the protection domain 5 of the firewall (internal zone) or whether it is outside it (external zone), i.e., whether it is directly protected by the firewall or whether it is a zone for providing a connection between the firewalls, or between the various protection domains, which is essentially the same thing.

In the exemplary embodiment illustrated in Fig. 1, each protection domain 5 D1, D2, D3 is controlled by a firewall 1, respectively NW1, NW2, NW3. Each of the firewalls NW1, NW2, NW3 is connected to a zone 8 comprising an internal subnetwork 11, respectively I1, I2, I3, and to a zone 8 comprising a subnetwork 12 of the "demilitarized zone" type, respectively DMZ1, DMZ2, DMZ3. The subnetworks 11 and 12 are inside the protection domain 5.

A subnetwork of the "demilitarized zone" type is a buffer subnetwork, creating a sort of screen between an internal and external network in order to reinforce its protection.

Each firewall 1 is connected to a zone 8 of the external domain 6 comprising a so-called backbone network 13. The zone 8 of the external domain 6 comprising the network 13 is called the backbone zone. The backbone zone 8 constitutes the connection of the internal domain 5 to the rest of the network in question, and represents the outside of the domain 5 in question.

According to one development of the invention, the backbone zone 8 comprises a central configuration machine 14 from which the global configuration of the system 2 is performed. The global configuration of the system 2 can be performed, for example, as explained in the French patent application filed by the present Applicant on the same day as the present application, the title of which is "METHOD AND DEVICE FOR CENTRALIZED FIREWALL CONFIGURATION IN A COMPUTER SYSTEM." The central configuration machine 14 offers a graphical interface 15 that allows the administrator 7 to perform said configuration. The graphical interface 15 is illustrated in Figs. 1 through 4.

The present invention is described below in the embodiment of the system illustrated in Figs. 1 through 4, which consists in a central configuration of the firewalls. The method according to the invention described for said embodiment can be applied to an isolated firewall without a central configuration.
In the embodiment illustrated in Fig. 2, the administrator 7 enters the definitions of the firewalls 1, the domains 5, 6 and the network interfaces 10 through the graphical interface 15. The screen of the interface 15 is divided into three windows: an object window 16 on the left side of the screen of the machine 14, an attribute window 17 on the right side of the screen of the machine 14, and a rule window 18 at the bottom of the screen. In the object window 16, when a "Netwalls" tab 19 is selected, all of the firewalls NW1, NW2, NW3 of the system 2 are indicated. In the attribute window 17, when a "Properties" tab 20 is selected, the properties of the firewall highlighted in the left-hand part (in this case NW1) are indicated in a zone table 21.

The administrator defines the properties of the firewall 1 in the following way. The firewall NW1 has three network interfaces 10, mentioned in the "Name" column 22 with the zones 8 indicated in the "Zone" column 23: a network interface NW1 with the zone of the subnetwork I1, a network interface NW1_dmz with the zone of the subnetwork DMZ1, and a network interface NW1_backbone with the backbone zone. The properties are similar for the firewalls NW2 and NW3. An "Address" column 24 in the table 21 indicates the addresses of the network interfaces whose names are located on the same lines.

An "Is External" column 25 of the zone table 21 makes it possible to specify, for each network interface 10, whether said network interface is attached to a zone 8 outside the protection domain 5 (the value "true") or inside the protection domain (the value "false").

In the example in question, the network interfaces NW1_dmz and NW1 are attached to zones 8 (subnetworks DMZ1, I1) inside the protection domain 5, while the network interface NW1_backbone (backbone network) is outside the protection domain (configuration similar for the firewalls NW2 and NW3).

Each firewall provides access control for both the communications between the domains 5 and the communications between the zones 8 inside the domain 5 for which it is responsible. One part of the security policy concerns access control between the domains; another part of the security policy concerns access control between the zones inside the domain controlled by the firewall.

The invention consists of defining an operation for factoring the access control rules constituting the access control policy so as to minimize the number of filtering rules to be declared by the administrator.

To this end, the administrator 7 joins into the same groups the objects 3 of the system 2 (in the example illustrated, workstations and servers) for which the same security policy is applied. In the example illustrated in Fig. 1, workstations 26 C1, C2, C3 are an integral part of the respective internal subnetworks I1, I2, I3; servers 27 S1, S2, S3 respectively belong to the subnetworks DMZ1, DMZ2, DMZ3. The domain D1 groups the zone comprising the internal subnetwork I1 with the workstation C1 and the zone comprising the subnetwork DMZ1 with the server S1. In the example illustrated, only one workstation belongs to the internal subnetwork I1; the subnetwork I1 could contain several workstations C11, C12, C13, ..., C1k and/or any other types of machines. Likewise the subnetwork DMZ1 could contain several servers S11, S12, S13, ..., S1m and/or any other types of machines. The same reasoning is applicable to the other domains and zones.

The administrator 7 can, for example, group the machines C1, C2, C3 into a group of workstations 26 and the machines S1, S2, S3 into a group of servers 27.

The invention consists of declaring, among the types of groups defined by the administrator, access control rules whose scope is limited to each firewall or extended to the system 2. The administrator specifies for the access control rules whether the scope is local to the firewall or global.

A rule of local scope defines the access relationships between the resources 4 of two 
groups, said resources belonging to the same protection domain. The local scope makes it 
possible to limit the rule to accesses inside the protection domain 5. 

In the example mentioned above, a rule of local scope defines an access relationship of the group (C1, ..., Cn) to the group (S1, ..., Sn) involving an access from the resource Ci to the resource Si, without establishing a relationship of Ci to Sj, with j different from i. When there are several workstations and servers as seen above, the principle is the same: the rule of local scope defines an access relationship of the group (C11, C12, ..., C1k, ..., Cn1, Cn2, ...) to the group (S11, S12, ..., S1m, ..., Sn1, Sn2, ...) using an access from the resource Cik to the resource Sim, without establishing a relationship of Cik to Sjm, with j different from i, no matter what k and m are.

A rule of global scope defines the possible access relationships between two groups in the system 2 as a whole.

A rule of global scope is saved and can always be used by the administrator to handle general cases of the security policy. Rules of global scope govern the access relationships of the group (C1, ..., Cn) to the group (S1, ..., Sn) and establish all the relationships of Ci to Sj, for i and j varying from 1 to n. When there are several workstations and servers as seen above, the rule of global scope defines an access relationship of the group (C11, C12, ..., C1k, ..., Cn1, Cn2, ...) to the group (S11, S12, ..., S1m, ..., Sn1, Sn2, ...) using an access from the resource Cik to the resource Sjm no matter what i, j and m are.

The "local" or "global" scope attribute of each rule is attached to each rule in such a 
way that each firewall individually knows the scope of the rules. 

In the embodiment illustrated in Figs. 3 and 4, the administrator would like to implement an access control policy in which the resources of each internal subnetwork Ii (i in this case varying from 1 to 3) of each protection domain 5 can access the resources of the subnetwork DMZi (i in this case varying from 1 to 3) of the same protection domain 5, without authorizing access between one internal subnetwork Ii of a given domain and the subnetwork DMZj, with j different from i, of another domain (for example access between the subnetwork I1 and the subnetwork DMZ2).

As shown in Fig. 3, the administrator, using the graphical interface 15, groups the zones of the internal subnetworks I1, I2, I3 into the group of internal subnetworks G_I and the zones of the subnetworks DMZ1, DMZ2, DMZ3 into the group G_DMZ. In the object window 16, a "Resources" tab 28 having been selected, it is indicated that the group G_DMZ comprises ANY_DMZ1, ANY_DMZ2, ANY_DMZ3, i.e. all of the objects of the subnetworks DMZ1, DMZ2, DMZ3.

The administrator then defines, in the rule window 18, the rules of local or global scope. In the example illustrated in Fig. 4, a rules table 28 in the rule window 18 that makes it possible to define the rules is displayed in the attribute window 17 when a "Rules" tab 30 is selected. The attribute window 17 shows that the administrator has defined, by means of the table 29 of the window 18, a rule of "local" scope allowing access from the group G_I to the group G_DMZ, the rule thus defined being displayed in the table 29 of the attribute window 17.

The rules table 29 comprises a "Name" column 31 for identifying the access control rule, a "Source" column 32 for designating the source group of the rule, and a "Destination" column 33 for designating the destination group of the rule.

The scope of the rule is defined in a "Scope" column 34 and can have the values "LOCAL" for a local scope or "GLOBAL" for a global scope. In the example illustrated, the scope of the rule has the default value "GLOBAL."

The method according to the present invention works in the following way: 
When the firewall applies the access control (for example during an attempt to establish a connection), the firewall 1 analyzes the scope attribute of the rule governing the control of the current access.

If the rule is of global scope, it is applied without any additional control: access is authorized or denied based on the instructions given by the rule. This is a standard firewall operation.

If the scope of the rule is local, the firewall determines the incoming and outgoing 
network interfaces 10 for the current traffic and analyzes whether these network interfaces are 
attached to the internal 5 or external 6 domain. 

If both the incoming and outgoing network interfaces 10 are attached to the internal domain 5, the current traffic is within the firewall's protection domain 5; the rule is therefore applied and the access is authorized or denied based on the instructions given by said rule.

If one of the two network interfaces 10 is attached to the external domain 6, the current traffic is not within the firewall's protection domain 5; the rule in question is not applicable for the profile of the current traffic.

In the example illustrated, no firewall connecting the domains D1, D2, D3 to one another has been provided. The invention is not concerned with linked domains. The interfaces associated with linked domains are automatically attached to an external domain, which means that the "Is External" column has the true value.

In the example illustrated in Figs. 2 through 5, the method works in the following way.

During an access from the subnetwork I1 to the subnetwork DMZ1, the firewall NW1 determines that the traffic enters through the network interface 10 NW1 and leaves through the network interface 10 NW1_dmz. Said network interfaces NW1 and NW1_dmz are declared to be inside the protection domain of the firewall in question. The firewall NW1 authorizes the access. The mechanism is similar for accesses from the subnetwork I2 to DMZ2, through NW2, and from I3 to DMZ3 through NW3.

During an access from the subnetwork I1 to the subnetwork DMZ2, the firewall NW1 determines that the traffic enters through the network interface NW1 and leaves through the network interface NW1_backbone. The first network interface NW1 is declared to be inside the protection domain 5, while the second interface NW1_backbone is declared to be outside the protection domain 5. The traffic is not limited to the protection domain 5, and the firewall NW1 does not authorize the access.
In the same way, the firewall NW2 detects that the traffic in question enters through the network interface NW2_backbone and leaves through the network interface NW2_dmz. The network interface NW2_backbone is attached to a subnetwork outside the protection domain; the traffic is not limited to the protection domain of the firewall NW2 and is blocked by the latter.
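The local/global scope semantics and the interface-based evaluation described above, as an added Python model that is not code from the patent: it builds the three firewalls NW1, NW2, NW3 with their "Is External" interface table, the groups G_I and G_DMZ, and evaluates the I1 -> DMZ1 and I1 -> DMZ2 accesses under a LOCAL and a GLOBAL rule. The per-zone addresses and the assumption that an address not on an attached zone is reached through the backbone (default route) interface are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addressing for the example: one /24 per zone (not from the patent).
ZONES: dict[str, IPv4Network] = {
    "I1": ip_network("10.1.0.0/24"), "DMZ1": ip_network("10.1.1.0/24"),
    "I2": ip_network("10.2.0.0/24"), "DMZ2": ip_network("10.2.1.0/24"),
    "I3": ip_network("10.3.0.0/24"), "DMZ3": ip_network("10.3.1.0/24"),
    "backbone": ip_network("192.0.2.0/24"),
}

# Groups G_I and G_DMZ of Fig. 3: a group is a set of zones (ANY_DMZ1 = every object in DMZ1).
GROUPS: dict[str, frozenset[str]] = {
    "G_I": frozenset({"I1", "I2", "I3"}),
    "G_DMZ": frozenset({"DMZ1", "DMZ2", "DMZ3"}),
}

class Scope(Enum):
    LOCAL = "LOCAL"
    GLOBAL = "GLOBAL"

@dataclass(frozen=True)
class Interface:
    name: str          # "Name" column of the zone table
    zone: str          # "Zone" column
    is_external: bool  # "Is External" column: True = outside the protection domain

@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # source group
    destination: str   # destination group
    scope: Scope
    action: str = "allow"

@dataclass(frozen=True)
class Firewall:
    name: str
    interfaces: tuple[Interface, ...]

    def interface_for(self, addr: IPv4Address) -> Interface:
        """Interface through which traffic to/from addr passes: the interface attached to
        the zone containing addr, otherwise (assumption) the external backbone interface,
        which carries the default route towards the other domains."""
        for itf in self.interfaces:
            if addr in ZONES[itf.zone]:
                return itf
        return next(itf for itf in self.interfaces if itf.is_external)

def zone_of(addr: IPv4Address) -> str:
    return next(z for z, net in ZONES.items() if addr in net)

def decide(fw: Firewall, rules: list[Rule], src: str, dst: str) -> str:
    """Access control as described: a LOCAL rule applies only when both the incoming and
    the outgoing interface lie inside the firewall's protection domain; a GLOBAL rule
    applies without any additional control. With no applicable rule the access is denied."""
    s, d = ip_address(src), ip_address(dst)
    in_if, out_if = fw.interface_for(s), fw.interface_for(d)
    for rule in rules:
        if zone_of(s) not in GROUPS[rule.source] or zone_of(d) not in GROUPS[rule.destination]:
            continue  # rule does not match this source/destination pair
        if rule.scope is Scope.LOCAL and (in_if.is_external or out_if.is_external):
            continue  # traffic leaves the protection domain: local rule not applicable
        return rule.action
    return "deny"

def build_firewall(i: int) -> Firewall:
    """Firewall NWi with the three interfaces of Fig. 2 (NWi, NWi_dmz, NWi_backbone)."""
    return Firewall(f"NW{i}", (
        Interface(f"NW{i}", f"I{i}", False),
        Interface(f"NW{i}_dmz", f"DMZ{i}", False),
        Interface(f"NW{i}_backbone", "backbone", True),
    ))

FIREWALLS = {fw.name: fw for fw in (build_firewall(i) for i in (1, 2, 3))}

def end_to_end(path: list[str], rules: list[Rule], src: str, dst: str) -> str:
    """Every firewall on the path must authorize the access for it to succeed."""
    return "allow" if all(decide(FIREWALLS[n], rules, src, dst) == "allow" for n in path) else "deny"

LOCAL_RULE = [Rule("I_to_DMZ", "G_I", "G_DMZ", Scope.LOCAL)]
GLOBAL_RULE = [Rule("I_to_DMZ", "G_I", "G_DMZ", Scope.GLOBAL)]

if __name__ == "__main__":
    # I1 -> DMZ1 crosses NW1 only; I1 -> DMZ2 crosses NW1 and then NW2 via the backbone.
    print("I1->DMZ1, LOCAL :", end_to_end(["NW1"], LOCAL_RULE, "10.1.0.5", "10.1.1.10"))
    print("I1->DMZ2, LOCAL :", end_to_end(["NW1", "NW2"], LOCAL_RULE, "10.1.0.5", "10.2.1.10"))
    print("I1->DMZ2, GLOBAL:", end_to_end(["NW1", "NW2"], GLOBAL_RULE, "10.1.0.5", "10.2.1.10"))
```

The GLOBAL case shows why the scope attribute matters: the same single group-to-group rule, left at the default "GLOBAL" scope, also authorizes the cross-domain Ci -> Sj access that the policy is meant to exclude.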

The present invention relates to the method for configuring a firewall 1 in a computer system 2 comprising objects 3, the objects 3 for which an access control policy is established being called resources 4, characterized in that it groups the objects 3 of the system into protection domains 5, 6, each firewall 1 ensuring the protection of an internal domain 5 relative to an external domain 6, and applies to the firewall in question a rule for controlling access between a source resource 4 and a destination resource only if said source and destination resources belong to the same protection domain 5 or 6.

The method determines the protection domain of the resources 4 by means of the network interfaces 10 of the firewall in question, interfaces through which the communications pass in order to reach said resources.

The method defines the zones 8 comprising networks or subnetworks; it associates the network interfaces 10 of the firewalls to which said zones are connected with an internal or external domain; it determines the incoming and outgoing network interfaces 10 of the current traffic; it analyzes whether said network interfaces are attached to an internal or external domain; it applies the rule only if both network interfaces are attached to the same internal domain 5, which corresponds to the fact that the resources belong to the same protection domain.

The method composes the groups of objects 3 for which the access control policy is identical and applies the rule between each of the resources of a source group and a destination group.

The method characterizes the rule with a local or global scope, and it applies the rule to the resources in question only if said resources belong to the same protection domain 5 or 6 when the scope of the rule is local, and applies the rule to all of the resources in question when the scope of the rule is global.

The present invention also concerns the device for implementing the method described above.

The present invention also relates to the device for configuring a firewall 1 in the computer system 2, characterized in that it comprises the central configuration machine 14 that makes it possible to group the objects 3 of the system into protection domains, each firewall 1 ensuring the protection of an internal domain 5 relative to an external domain 6, and to apply to the firewall in question a rule for controlling access between a source resource 4 and a destination resource only if said source and destination resources belong to the same protection domain 5 or 6.

The device comprises the graphical interface 15 from which an administrator 7 can enter the protection domains 5 and 6 and the access control rules.

The graphical interface allows the administrator 7 to define a local or global scope for the access control rule, and the machine 14 applies the rule to the resources in question only if said resources belong to the same protection domain 5 or 6 when the scope of the rule is local, and applies the rule to all of the resources in question when the scope of the rule is global.
CLAIMS

1. Method for configuring a firewall (1) in a computer system (2) comprising objects (3), the objects (3) for which an access control policy is established being called resources (4), characterized in that it groups the objects (3) of the system into protection domains (5, 6), each firewall (1) ensuring the protection of an internal domain (5) relative to an external domain (6), and applies to the firewall in question a rule for controlling access between a source resource (4) and a destination resource only if said source and destination resources belong to the same protection domain (5) or (6).

2. Method according to claim 1, characterized in that it determines the protection domain of the resources (4) by means of the network interfaces (10) of the firewall in question, interfaces through which the communications pass in order to reach said resources.

3. Method according to claim 2, characterized in that it defines the zones (8) comprising networks or subnetworks, in that it associates the network interfaces (10) of the firewalls to which said zones are connected with an internal or external domain, in that it determines the incoming and outgoing network interfaces (10) of the current traffic, in that it analyzes whether said network interfaces are attached to an internal or external domain, and in that it applies the rule only if both network interfaces are attached to the same internal domain (5), which corresponds to the fact that the resources belong to the same protection domain.

4. Method according to any of claims 1 through 3, characterized in that it composes groups of objects (3) for which the access control policy is identical and applies the rule between each of the resources of a source group and a destination group.

5. Method according to any of claims 1 through 4, characterized in that it characterizes the rule with a local or global scope, in that it applies the rule to the resources in question only if said resources belong to the same protection domain (5) or (6) when the scope of the rule is local, and in that it applies the rule to all of the resources in question when the scope of the rule is global.
6. Device for implementing the method according to any of claims 1 through 5.

7. Device for configuring a firewall (1) in a computer system (2) comprising objects (3), the objects (3) for which an access control policy is established being called resources (4), characterized in that it comprises a central configuration machine (14) that makes it possible to group the objects (3) of the system into protection domains, each firewall (1) ensuring the protection of an internal domain (5) relative to an external domain (6), and to apply to the firewall in question a rule for controlling access between a source resource (4) and a destination resource only if said source and destination resources belong to the same protection domain (5) or (6).

8. Device according to claim 7, characterized in that it comprises a graphical interface (15) from which an administrator (7) can enter the protection domains (5) and (6) and the access control rules.

9. Device according to either of claims 7 and 8, characterized in that the graphical interface allows the administrator (7) to define a local or global scope for the access control rule, and in that the machine (14) applies the rule to the resources in question only if said resources belong to the same protection domain (5) or (6) when the scope of the rule is local, and applies the rule to all of the resources in question when the scope of the rule is global.

10. Software module for implementing the method according to any of claims 1 through 5.
